Computer worms are one of the most challenging problems facing computer security researchers today. The value of a computer network is a function of its speed and the number of connected computers making up the network. However, both fast and large networks enable computer worms to propagate very rapidly.
Computer worms like W32.SoBig.F, W32.Nimda, W32.Sircam and W32.Datom enumerate the network shares to which their local computer has write access, and then either copy themselves over those writable network shares or infect executable files located on the corresponding remote, writable network locations.
Computer researchers have identified some useful worm management techniques that focus on the behavioral analysis of computer worms as they propagate through open writable network shares. One such technique uses a behavior-based blocking method: when a program that itself arrived through an open network share copies a binary file to a remote network share, the content of the copied file is compared with the content of the copying program.
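The source-side comparison just described, as an added Python model that is not part of the original text: each write issued by a local process is represented as a constructed event carrying the process image's content (assumed to be captured by a hypothetical process monitor at launch); UNC paths stand in for open network shares. The substring check for a worm body embedded in an infected executable goes one step beyond the exact-content comparison in the text.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_network_share(path: str) -> bool:
    # UNC paths (\\server\share\...) denote open network shares in this model.
    return path.startswith("\\\\")


@dataclass
class RemoteWrite:
    """One file write issued by a local process (constructed event model)."""
    image_path: str      # where the writing process's executable was loaded from
    image_bytes: bytes   # that executable's content, captured when the process started
    target_path: str     # destination of the write
    data: bytes          # content being written


def verdict(ev: RemoteWrite) -> str:
    """'block' when a program that itself arrived via a network share writes
    its own executable (or a file embedding it) to another network share."""
    if not (is_network_share(ev.image_path) and is_network_share(ev.target_path)):
        return "allow"
    if sha256(ev.data) == sha256(ev.image_bytes):
        return "block"  # exact self-copy over the share
    if len(ev.image_bytes) >= 64 and ev.image_bytes in ev.data:
        return "block"  # self-copy prepended/appended to a remote executable
    return "allow"


# Constructed sample payloads; not real program or malware content.
WORM = b"MZ" + b"\x90" * 100 + b"CONSTRUCTED-WORM-BODY"
TOOL = b"MZ" + b"\x00" * 80 + b"legitimate-backup-tool"

SAMPLE_EVENTS = [
    # program delivered via \\srvA\public copies itself to \\srvB\share
    RemoteWrite(r"\\srvA\public\update.exe", WORM, r"\\srvB\share\update.exe", WORM),
    # the same program infects a remote executable by appending itself
    RemoteWrite(r"\\srvA\public\update.exe", WORM, r"\\srvB\share\notepad.exe", TOOL + WORM),
    # locally installed tool copying itself to a share: image did not arrive via a share
    RemoteWrite(r"C:\Program Files\backup\backup.exe", TOOL, r"\\srvB\share\backup.exe", TOOL),
    # share-delivered program writing an ordinary data file
    RemoteWrite(r"\\srvA\public\update.exe", WORM, r"\\srvB\share\report.txt", b"quarterly numbers"),
]


def evaluate(events=SAMPLE_EVENTS):
    return [verdict(e) for e in events]


if __name__ == "__main__":
    for e, v in zip(SAMPLE_EVENTS, evaluate()):
        print(f"{v:5s} {e.image_path} -> {e.target_path}")
```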
Most research effort has focused on the behavioral analysis of worms at the source computer while they propagate through open network shares. There has been almost no effort focused on analyzing the behavior of worms at the target computer to which the worms are copied. In Microsoft Windows NT®, remote clients can read and write to files across the network. Microsoft's srv.sys is a kernel level operating system component that provides an interface between remotely initiated file input/output requests and the local file system. As such, srv.sys is not itself a file system, but rather a fileserver. Unfortunately, srv.sys provides very little information concerning the source computer that initiated a local file write operation. Therefore, it has not been practicable for researchers to provide worm management solutions based on analyzing worm behavior on the target computer.
However, worm analysis at a source computer can be problematic. For instance, analyzing a worm at the source computer requires the worm to be active and running, and therefore to already have control of the local software environment. Thus, the worm being analyzed can damage both local and network computer resources. Moreover, the worm is in a position to interfere with any security software installed on the local computer.
In addition, a user of the source computer generally has to take some sort of action in order to activate the worm in the first place. For instance, the user might activate the worm by opening an executable attachment to an e-mail, or by clicking on a worm file located in one of the user's folders. Thus, source computer worm blocking techniques require action on a user's part.
What is needed are methods, systems and computer readable media for detecting worms when they arrive at target computers via open network shares.